fix CSRF checking so that localhost always works
This commit is contained in:
parent
f7b4fd644b
commit
98e0c3e89c
@ -2,23 +2,38 @@ package http
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"errors"
|
"errors"
|
||||||
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
|
||||||
"github.com/mediocregopher/blog.mediocregopher.com/srv/http/apiutil"
|
"github.com/mediocregopher/blog.mediocregopher.com/srv/http/apiutil"
|
||||||
)
|
)
|
||||||
|
|
||||||
func (a *api) checkCSRFMiddleware(h http.Handler) http.Handler {
|
func checkCSRF(r *http.Request, publicURL *url.URL) error {
|
||||||
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
|
||||||
|
if ipStr, _, err := net.SplitHostPort(r.Host); err == nil {
|
||||||
|
if ip := net.ParseIP(ipStr); ip != nil && ip.IsLoopback() {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
refererURL, err := url.Parse(r.Referer())
|
refererURL, err := url.Parse(r.Referer())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
apiutil.BadRequest(rw, r, errors.New("invalid Referer"))
|
return errors.New("invalid Referer")
|
||||||
return
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if refererURL.Scheme != a.params.PublicURL.Scheme ||
|
if refererURL.Scheme != publicURL.Scheme ||
|
||||||
refererURL.Host != a.params.PublicURL.Host {
|
refererURL.Host != publicURL.Host {
|
||||||
|
return errors.New("invalid Referer")
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (a *api) checkCSRFMiddleware(h http.Handler) http.Handler {
|
||||||
|
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
|
if err := checkCSRF(r, a.params.PublicURL); err != nil {
|
||||||
apiutil.BadRequest(rw, r, errors.New("invalid Referer"))
|
apiutil.BadRequest(rw, r, errors.New("invalid Referer"))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user